Medical Records Retrieval for Physicians

The Health Insurance Portability and Accountability Act (HIPAA), which was passed by Congress in 1996, specifies who can access or retrieve a patient’s medical records. This law set limits on the use and release of medical records, and established a series of privacy standards for health care providers. A provider’s security and privacy obligations under HIPAA are fundamentally unchanged by transitioning to an EMR system, but may require adjustments in practice.

While the health care provider owns a patient’s medical records, the patient has a right to access and ask for copies of the original medical record. Providers may not charge patients for locating and providing access to these files, but may charge “reasonable fees” for making copies, if so requested. The limits of “reasonable fees” are set by state law and vary widely. HIPAA does not prohibit charging attorneys or insurers a search and retrieval fee in addition to any copying fees.

Note that HIPAA requires medical records to be retained by a provider for at least six years after either the later of the date of creation or the date when last in effect.

In addition to specifying access rights for patients and limiting fees they may be charged, HIPAA also limits disclosure or release of patient medical records to third parties without patient authorization.

This is a complex area, but in general patient medical information may be shared for the purposes of treatment, payment, and health care operation without patient authorization.

In the case of other providers who are covered entities, patient authorization is also not required for disclosure to another health care provider for patient treatment or payment. Patient authorization is not required for health care operations if the receiving party also has a relationship with the patient and the information disclosed is used for performing care quality assessment, performance review or training, or for fraud detection.

There are other situations, such as receiving a subpoena from a court, where patient authorization may not be needed, but in many cases the patient must be informed and given the opportunity to legally object to the subpoena or court order prior to the release of information.

TAKEAWAYS

HIPAA requires medical records to be retained by a provider for at least six years after either the later of the date of creation or the date when last in effect.

Providers may not charge patients for retrieving and making medical records available. They may charge reasonable fees for copies, and limits on these fees are set at the state level.

Providers may charge fees to attorneys and others who legally request file retrieval in addition to cost of making copies.